DETAILED ACTION

1. This final action is in response to communications filed on 5/5/2006.

2. Claims 1-6, 9-13, 16-19, 21-22, 24 have been amended and claims 25-28 have 
been cancelled. Thus, claims 1-24 are pending. 

Claim Rejections - 35 USC § 112 

The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

Claim 13 is rejected under 35 U.S.C. 112, second paragraph, as being indefinite for
failing to particularly point out and distinctly claim the subject matter which applicant
regards as the invention.

Claim 13 recites the limitation "the suggested action" in line 1. There is insufficient
antecedent basis for this limitation in the claim. 

Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form 
the basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public 
use or on sale in this country, more than one year prior to the date of application for patent in the United 
States. 

3. Claims 1-7, 10-19 are rejected under 35 U.S.C. 102(b) as being anticipated by 
Teller-Kanzler et al (EP 0999489 A2).

For claim 1, Teller-Kanzler et al teach a computer-implemented method for
managing risk related to a security risk event (abstract 57), the method
comprising:

receiving information relating to a particular security risk event (s4 in
Fig 6; lines 20-36 of column 3);

processing, by a computer (lines 3-6 of column 4), the information 
received to associate the received information with risk variables 
related to particular risk event (s5 in Fig 6; lines 54 of page 3 through line 
10 of page 4); and 

calculating a security level using the processed information and a set of 
relationships established between the risk variables (lines 11-17 of 
column 4). 

For claim 2, note line 15 of column 4, which mentions that the degree of business risk is 
assessed. 

For claim 3, note 16 of Fig 1, which mentions organizational environment. Level 1 - 
level 5 of Fig 1 shows the degree of security level that the business facility can have. 
Thus, the security level comprises a security confidence level indicative of how secure a 
particular facility can be made relative to a particular security risk event. 

For claim 4, note 18, 20 and 22 of Fig 2, Fig 3 and Fig 4, which mention security level in
business commitment, policies, standards and security services. The 5 levels of 18, 20
and 22 can be indicative of how secure a particular practice can be made relative to a 
particular security risk event. 

For claim 5, lines 12-20 of column 12 mention that the organization can graduate from 
one level to next level when it reaches a certain score. Thus, security level comprises a 
security maintenance level indicative of a level of security that should be maintained in 
relation to an analyzed security risk event. 

For claim 6, note lines 41-42 of column 2, which mention that the method develops a 
security infrastructure, which recommends solutions to deal with such threat. Thus, the 
method generates a suggested security measure according to the calculated security 
level and structured information. 

For claim 7, note lines 29-41 of column 12, which mention that the score is used by 
business managers within the organization to make decision if they are satisfied with 
the particular level in light of the risk to the business of the organization. Therefore, the 
information received, the security stand of business and suggested security measures 
are stored for further consideration of business managers. Thus, the method comprises 
the step of: storing the information received, the security level and the suggested 
security measure.

For claim 10, note cell 11 of level 4 in Fig 3, which mentions that the determination of
level of protection required for information assets is made. Thus, the suggested security 
measure comprises physical protection of media containing information relating to the 
transaction. 

For claim 11, note the 5th cell of level 5 in Fig 4, which mentions full integration
between physical security and information security. Thus, the suggested security 
measure comprises physical protection of a facility associated with the security risk. 

For claim 12, cell 12 of level 5 in Fig 4 mentions organization-wide dissemination
of security alerts, which is a physical protection of a building. Thus, the suggested 
security measure comprises physical protection of a building associated with a business 
transaction. 

For claim 13, note cells 3 and 4 of level 5 in Fig 5, which mention that the help desk and 
organization wide reporting of security incidents. Thus, the suggested action comprises 
notifying an authority regarding potential breach of security. 

For claim 14, lines 16-18 of column 12 mention that the score is used to determine if the
organization can move from one level to next level. Thus, the score is indicative of
suggested security measure, which is a set of relationships between variables defined
in ISEM grid.

For claim 15, note lines 24-27 of column 2, which mention that the information security
infrastructure furnishes classifying the degree of risk associated with information asset. 
Thus, the level of analysis utilized in the calculation of the security level is rated 
according to a classification. 

For claim 16, note lines 6-10 of column 4, which mention the weighting of the
categorized information security characteristics. Thus, the calculation comprises a level 
of weighting associated with a category of risk variables. 

For claim 17, lines 12-25 of column 12 mention that the characteristics within a cell of
ISEM grid is weighted according to its importance and a score is computed. Thus, the
calculation comprises aggregating multiple weightings of risk variables.

For claim 18, note line 22 of column 12, which mentions the use of decision tree,
a relationship algorithm. Thus, the calculation comprises a relationship algorithm that
determines which variables affect other variables.

For claim 19, note line 22 of column 12, which mentions the use of decision tree,
a relationship algorithm. In addition, lines 12-16 of column 12 mention the
weighting of cells according to importance. The decision tree structure defines the
relationship among variables, including the weighting. Thus, the calculation comprises a
relationship algorithm that determines how a first variable affects weighting of other
variables.

4. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

Claims 1, 6, 8-9, 22-24 are rejected under 102(e) as being anticipated by Townsend (US
Patent Application Publication 2002/0188861).

For claim 1, Townsend teaches a computer implemented method for managing risk
related to a security risk event (Fig 1), the method comprising:

receiving information relating to a particular security risk event (110 in Fig 1
receives information about identified parameters such as countermeasures, 
which are directly related to a particular risk event); 

processing by a computer, the information received to associate the received 
information with risk variables related to the particular security risk event (the 
received information is associated with Tables of Fig 3A, Fig 3B and Fig 4, 
which comprises risk variables. The variables are related to the particular risk 
event);

and calculating a security level (150) using the processed information and a
set of relationships established between the risk variables (115, 120, 130, 
135, 140 show how the security level is calculated using the processed 
information and the relationship between risk variables). 

For claim 6, 145 provides the suggestion or recommendation. 

For claim 8, 180 in Fig 1 shows the generation of diligence report. 

For claim 9, Fig 6 shows the report, which comprises inquiries made ("no specific 
training identified") and security measures executed ("courses available") 

For claim 22, Townsend teaches the following limitations:

A computerized system for managing risk related to a particular security risk
event (Fig 1-7), the system comprising:

a computer server (730) accessible with a system access device (700,
724) via a communications network (726, 728, 722);

and executable software stored on the server and executable on
demand ([0061] of page 5), the software operative with the server to
cause the system to:

o receiving information relating to the particular security risk event
(Fig 2);

o structuring the information received according to risk variables (Fig
4); and

o calculating a security level using the structured information and a
set of relationships established between the risk variables (130, 135
and 140 in Fig 1)

For claim 23, the system of Townsend uses software to calculate security level. Thus, the
software tool has to be fed with the information as shown in Fig 2 by an electronic
means, since computer itself is an electronic device.

For claims 24 and 25, the system of Townsend must have the corresponding instruction
code and data signal to implement the system of claim 22.

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

5. Claims 20-21 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Teller-Kanzler et al (EP 0999489 A2).

For claims 20-21, Teller-Kanzler et al do not teach recalculation of security level
explicitly. 

However, lines 13-16 of column 14 of Teller-Kanzler et al mention that the various 
modifications would be apparent to ordinary skill in the art and the disclosure is intended 
to cover all such modifications. 

In addition, [0049] of column 12 mentions that the managers use the score to determine
whether they are satisfied with the level of organization in light of risk. Since the new
information or chronology of events may change the security level of the organization,
recalculation is necessary to obtain the correct level of the organization in light of risk.
One of ordinary skill in the art would have been motivated to recalculate the security level
responsive to new information and/or progression of chronology of events in the system
of Teller-Kanzler et al, since these events/information may make the change of score of
the security level. In that case, management may feel that the existing level calculated
by the method is not a proper reflection of security model in light of new information or 
progressive chronology of events. They may want to verify that the new set of received 
information/progressive events still verifies the security level of the entity by 
recalculating the security level in receipt of new information. 

Response to Arguments 

Applicant's arguments filed on 5/5/2006 have been fully considered but they are not 
persuasive. 



Application/Control Number: 10/074,583
Art Unit: 2116






Applicant argues that Teller-Kanzler does not disclose a method that includes receiving 
information related to a particular security risk event. 

Examiner disagrees. Lines 30-33 of column 14 of Teller-Kanzler describe that 
information regarding one or more information security characteristic is received. 
Therefore, information regarding particular security characteristic (or, security risk 
event) is received. Lines 20-36 of column 3 mention that Teller-Kanzler receives
information that is indicative of a predefined risk level for the information security. 
Therefore, the information indicates the risk level about one or more security 
characteristics. Thus, the information is related to a particular risk event. 

Applicant further argues that the information received by the Townsend method is not 
related to a particular security risk event. 

Examiner disagrees. [0024] mentions that the questionnaire is tailored to solicit 
information consistent with the parameters identified above. The information can be 
related to a countermeasure as [0024] describes that the questionnaire will ask about 
training when training is identified as countermeasure. Countermeasures have defined 
relationship with attacks as shown in Fig 3B. Therefore, information related to a 
particular countermeasure is in fact information related to a particular security risk
event, as countermeasures are directly related to particular risk event. Therefore, the
received information is related to particular security risk event. 

Conclusion 

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy 
as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Fahmida Rahman whose telephone number is 571-272-8159.
The examiner can normally be reached on Monday through Friday 8:30 - 5:30.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Lynne Browne can be reached on 571-272-3670. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent
Application Information Retrieval (PAIR) system. Status information for published
applications may be obtained from either Private PAIR or Public PAIR. Status 
information for unpublished applications is available through Private PAIR only. For 
more information about the PAIR system, see http://pair-direct.uspto.gov. Should you 
have questions on access to the Private PAIR system, contact the Electronic Business 
Center (EBC) at 866-217-9197 (toll-free). 



Fahmida Rahman
Examiner
Art Unit 2116




LYNNE H. BROWNE 
SUPERVISORY PATENT EXAMINER 
TECHNOLOGY CENTER 2100 



